If system policies do not meet your needs, you can create custom policies to implement fine-grained access control.
Prerequisites
Before you create a custom policy, make sure you understand the basic structure and syntax of the policy language. For more information, see Policy structure and syntax.
CADT custom policies
Cloud Architect Design Tools (CADT) provides three templates for common custom policies that you can configure:
|
Custom policy |
Description |
Sample file |
|
Read-only permissions |
Grants read-only access to CADT. |
|
|
Import permissions |
Grants permissions to use Resource Discovery in CADT and import resources. |
|
|
Management permissions |
Grants permissions to manage CADT. |
The sample files grant permissions for only a limited number of products. You must customize the policies to meet your specific requirements.
Procedure
Create a RAM user
-
Log in to the Resource Access Management (RAM) console.
-
Create a test user named
cadt-user. For more information, see Create a RAM user. In the left-side navigation pane, choose Identities > Users. On the Users page, find the cadt-user you created.
Create a CADT custom policy
-
Create a custom policy with read-only permissions. Log on to the RAM console. In the left-side navigation pane, choose Permissions > Policies, and then click Create Policy.
-
On the Create Policy page, click the JSON tab. Copy the content of the Read-only permission configuration file into the editor, and then click Next to edit policy information.
NoteThe script grants read-only permissions for a limited number of Alibaba Cloud services. You can customize the script to meet your specific requirements.
The script includes a policy statement for OSS. The actions include
oss:PutObject,oss:IsObjectExist,oss:ListObjects,oss:GetObject,oss:DeleteObject, andoss:GetBucket. The resource isacs:oss:*:*:cnfs-oss*. -
Name the policy "cadt-read-only" and click OK.
-
Similarly, create custom policies for import permissions (
cadt-import) and management permissions (cadt-deploy). On the Policies page, filter by Custom Policy to view the three CADT custom policies that you created: cadt-read-only, cadt-import, and cadt-deploy.
Permission verification
Read-only permission verification
Read-only permissions: Grants read-only access to CADT applications and Alibaba Cloud resources. For example, a user with these permissions can view applications and architectures in CADT, and check information such as the IP addresses and hostnames of ECS instances or RDS database endpoints. These permissions are suitable for daily development and testing tasks.
-
For testing, use an Alibaba Cloud account to deploy a simple application named CADT-Test that consists of an Elastic Compute Service (ECS) instance and an elastic IP address (EIP) by using CADT. The application CADT-Test shows a Deployed successfully status. Its architecture includes an elastic IP address (EIP), a Virtual Private Cloud (VPC) with the CIDR block
192.168.0.0/16, a vSwitch with the CIDR block192.168.0.0/24, a security group, and an ECS instance (2vCPU 4GiB). The deployment region is China (Beijing). -
Attach the
cadt-read-onlypolicy. In the RAM console, go to the Identities > Users page, select the checkbox next to cadt-user, and click Add Permissions. In the Add Permissions panel, set Authorization Scope to Alibaba Cloud Account. On the Custom Policy tab, select the cadt-read-only policy, and then click OK. -
Log in as the cadt-user to verify the permissions. In the RAM console, navigate to the Overview page. In the Basic Information section, find the User Logon URL, which is in the format
https://signin.aliyun.com/xxx.onaliyun.com/login.htm, and click Copy Logon URL. Use the copied URL to log in to the Alibaba Cloud console as the cadt-user. After you log on, click the user avatar in the upper-right corner to confirm that your current identity is the RAM user cadt-user (logon email: cadt-user@xxx.onaliyun.com). -
On the My Applications page of the CADT console, you can see the CADT-Test application and all other applications that are created by the Alibaba Cloud account. In the top navigation bar, choose Applications > My Applications. In the application list, you will see the CADT-Test application deployed by the Alibaba Cloud account with a status of 'Deployed successfully'.
-
View the details of a resource, such as the ECS instance. Open the application to view the deployed architecture. Click the ECS instance on the canvas to view its information. Click the Go to Console button at the bottom to open the console for the corresponding cloud resource. In the application details, you can view information about the deployed ECS instance. The instance state is Running, the region is China (Beijing), and the availability zone is Beijing Zone K.
-
You can create new applications, design architectures, and configure parameters, but you cannot save or deploy applications. The ECS Details panel shows configurations such as the instance type
ecs.c6.large (2c 4g), the pay-as-you-go billing method, and the Beijing Zone K availability zone. When you click the Save button in the upper-right corner, a message appears at the top of the page, indicating that you have insufficient permissions.
Import permission verification
Import permissions: Allows users to discover resources on Alibaba Cloud, design architectures, and create applications. In CADT, a user with these permissions can create applications, configure resources, import existing resources, perform Resource Verification, view the Price List, and view reports. However, the user cannot deploy resources.
-
Using your Alibaba Cloud account, remove the read-only policy from the
cadt-userRAM user and attach thecadt-importpolicy. On the details page for thecadt-user, go to the Permissions tab. Under Personal Permissions, confirm that the cadt-import custom policy is attached and the authorization scope is set to All Resources. -
Verify the permissions in CADT:
-
You can use Resource Discovery: In the top navigation bar of the CADT console, click Resources and select Resource Discovery. The Resource Discovery page includes a Select Resources to Discover dialog box, which supports filtering by the Untagged Resources checkbox, tag keys, tag values, and resource group names. It provides By Network and By Type views, and includes the Overview, Global Resources, Regional Resources, VPC Resources, and vSwitch Resources tabs. The table displays resource types, resource names, resource IDs, tags, and associated objects. At the bottom, you can click the Export Report and Generate Architecture Diagram buttons.
-
You can create applications, configure parameters, and save applications: In the CADT architecture design interface, you can view and edit architecture resources. The Elastic Compute Service (ECS) Details panel on the right allows you to configure parameters such as the billing method, availability zone, and instance type. After modification, the tab at the top displays a Modified status. After you save the changes, a Saved successfully message appears in the upper-right corner.
-
You can perform Resource Verification: In the Resource Verification dialog box, the verification result for all five cloud resources (vswitch, China (Beijing), security_group, eip, and ecs) is Succeeded, with the remark "Verification passed". The status at the bottom shows Verification passed. You can click Next: Price List to proceed.
-
You can check prices and view reports: After resource verification is successful, the Price List dialog box shows a Pricing succeeded status and lists the pay-as-you-go costs for resources such as ECS and EIP. You can click the View Report button to see the full report.
-
You cannot deploy resources: The Confirm Order page displays the resource list (EIP and ECS on a pay-as-you-go basis) with a Pricing succeeded status. A red permission error message appears in the upper-right corner: "4001: You are not authorized to perform this operation. Please contact the account owner or administrator to grant the required permissions." You can click the Add related permissions link to request authorization. You can click the Next: Pay and Create button at the bottom to proceed to the next step.
-
You can import existing resources: In the Virtual Private Cloud (VPC) Details panel in CADT, set Billing Method to Import Existing. In the Instance Name drop-down list, select an existing VPC instance. The instance ID is partially masked. The CIDR block is displayed as
192.168.0.0/16. The Deploy Resource toggle is visible at the top of the panel.
-
Management permission verification
Management permissions: Includes all import permissions, plus permission to deploy resources. To prevent accidental operations and reduce resource risks, this policy does not grant permission to use the Release All Resources feature. However, for routine O&M, you can delete resources individually from the architecture.
-
Using your Alibaba Cloud account, remove other policies from the
cadt-userRAM user and attach thecadt-deploypolicy. On the Permissions tab for the cadt-user RAM user, confirm that the cadt-deploy custom policy is attached and the authorization scope is set to All Resources. -
In addition to all import permissions, you can deploy resources. After you start to deploy an application, a dialog box indicates that the order is placed and resource deployment is in progress. Wait for the deployment to complete. After the deployment that is performed with the
cadt-deploypermission is complete, the page shows a Deployed successfully message. All resources in the architecture, such as the EIP, VPC (192.168.0.0/16), vSwitch (192.168.0.0/24), security group, and ECS instance (8vCPU 16GiB), show a deployed status. -
You cannot release all resources at once. Click the Release All Resources button in the bottom toolbar and click OK in the confirmation dialog box. An error message appears in the upper-right corner: "4001: You are not authorized to perform this operation. Please contact the account owner or administrator to grant the required permissions.", indicating that you do not have this permission.
-
You can delete individual resources from the architecture.
Right-click a target resource, such as the ecs instance, and select Delete from the context menu to delete deployed resources one by one. An orange × icon appears on the ecs instance, marking it for deletion. After you mark the resource for deletion, click Save and then Deploy Application to release the resource. After the ECS instance is deleted, only the eip, vpc [192.168.0.0/16], vswitch [192.168.0.0/24], and an empty security_group remain in the architecture. The connection between the eip and vpc is removed, which confirms that the permission verification is successful.